From 840af98c510818907b65f6a47a012a2eb48f6c76 Mon Sep 17 00:00:00 2001
From: Magnus Andersson
Date: Wed, 30 Oct 2024 12:25:44 +0100
Subject: [PATCH] Open lb port to source ip during setup and hardening

---
 IaC-test/lb.tf | 4 +++-
 IaC-test/securitygroups-lb.tf | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 IaC-test/securitygroups-lb.tf

diff --git a/IaC-test/lb.tf b/IaC-test/lb.tf
index 69b442c..6f1305a 100644
--- a/IaC-test/lb.tf
+++ b/IaC-test/lb.tf
@@ -6,6 +6,7 @@ resource "openstack_networking_port_v2" "lb1-port-dco" {
   # A list of security group ID
   security_group_ids = [
     resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
+    resource.openstack_networking_secgroup_v2.lb-dco.id
   ]
   admin_state_up = "true"
   provider = openstack.dco
@@ -28,7 +29,8 @@ resource "openstack_compute_instance_v2" "lb1-node-dco" {
   key_pair = "${var.keynameworkers}"
   provider = openstack.dco
   security_groups = [
-    resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
+    resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+    resource.openstack_networking_secgroup_v2.lb-dco.name
   ]
   block_device {
diff --git a/IaC-test/securitygroups-lb.tf b/IaC-test/securitygroups-lb.tf
new file mode 100644
index 0000000..a686ed4
--- /dev/null
+++ b/IaC-test/securitygroups-lb.tf
@@ -0,0 +1,18 @@
+# Security groups lb-frontend
+resource "openstack_networking_secgroup_v2" "lb-dco" {
+  name = "lb-frontend"
+  description = "Ingress lb traffic to allow."
+  provider=openstack.dco
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = "8443"
+  port_range_max = "8443"
+  provider = openstack.dco
+  remote_ip_prefix = "87.251.31.153/32"
+  security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+
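Review bot: The new lb-dco group is attached in two places — to lb1-port-dco's security_group_ids in this hunk and to lb1-node-dco's security_groups in the second hunk of lb.tf — with nothing saying which association is the one that matters. If lb1-node-dco is booted on that pre-created port (its network block is outside the hunk, so I am inferring this), the Neutron port's security groups are what gets enforced on the interface and the instance-level list is a duplicate that has to be kept in step by hand; I would keep the association on the port only, or at least add `# lb-dco is also attached to lb1-port-dco; keep both lists in sync` above the list in lb1-node-dco. The second hunk ends inside the instance resource (`block_device {` is left open), so the rest of that block is not visible here.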
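Review bot: lb_ingress_rule_v4_dco hard-codes a single public /32 as remote_ip_prefix for tcp/8443, while the commit title says the opening is only needed during setup and hardening, yet neither the resource nor the group description records that it is temporary or when it is to be removed. Move the prefix out of the file into a variable (a name like `var.lb_setup_source_cidr`, illustrative) so the operator address does not live in the repository and can be changed without a code commit, and add a comment above the rule such as `# Temporary: allows 8443 from the setup/hardening source address only; remove or replace with the intended client CIDR once hardening is complete.` `provider=openstack.dco` on the lb-dco group is not terraform fmt spacing and differs from `provider = openstack.dco` on the rule below; port_range_min/port_range_max are written as strings where the rest of the file uses plain numbers for nothing else, so `port_range_min = 8443` would be the conventional form.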